The publication of personal data of alleged paedophiles on a website, as well as the publication of a hyperlink to foreign websites where such data can be found, is in conflict with the Dutch Personal Data Protection Act (PDPA). This was determined by the Court of Rotterdam in preliminary relief proceedings in two judgments which were rendered on 24 March 2009 
against a spokeswoman of the action group Stop Kindersex (SKS) (Stop Child Sexual Abuse) about the website stopkindersex.com.
The Facts
On the website stopkindersex.com it had been alleged, inter alia, that the claimant in the first proceedings showed an interest in paedosexuals, that he was a “paedolover” and that he was co-responsible for the sexual abuse of five children. In addition thereto, personal data and photographs had been placed on the Internet.
The second proceedings concerned the American websites dutchpedophilesexposed.org and dutchpredators.org on which personal data and photographs had been published of Dutchmen who had been convicted for paedophilia. These second preliminary relief proceedings were initiated by one of the persons who were mentioned on the American websites. The claimant also objected to hyperlinks on stopkindersex.com to these American websites. In the Netherlands it is not allowed to publish personal data of alleged and/or convicted paedophiles on the Internet this way. According to the owners of the websites, this is allowed in the United States.
Application of the PDPA and Definition of Data Controller
A remarkable thing in these proceedings is that the PDPA has been used as a basis for the judgment. In practice, during proceedings about allegedly unlawful publications, even if it concerns a publication of personal data, usually (only) the general Section 6:162 of the Dutch Civil Code (unlawful act) is chosen as a basis, whether or not in combination with the protection of individual privacy as provided for in the European Convention on Human Rights (ECHR) and the Dutch Constitution. In view of the scope of the concept of ‘processing of personal data’ in the PDPA it is remarkable that this law is not applied more often in such situations. After all, as soon as somebody’s individual privacy is affected by a publication there will generally be processing of data about an identifiable person.
In both proceedings the Court in preliminary relief proceedings reached the conclusion that the defendant is (co-)responsible for the processing of personal data on stopkindersex.com. The Court has assumed that the defendant is the person who “determines the purpose of and means for processing personal data.” The defendant had put up as a defense – though insufficiently substantiated – that she had assigned the website and log-in data for the server to another party that had taken over the administration of the website. However, the Court in preliminary relief proceedings has not limited itself to the question who is ‘authorized in a formal legal sense’ with respect to the website, but has correctly taken an actual consideration as a starting point and has come to the conclusion that it is sufficiently plausible that it is still in the defendant’s power to post and/or delete data. The defendant is still functioning as spokeswoman of Stop Kindersex (SKS), makes statements in the media and her telephone number and e-mail address are mentioned on stopkindersex.com.
Subsequently, in the first proceedings the Court in preliminary relief proceedings came to the judgment that the claimant’s individual privacy had been violated and that this was not outweighed by the defendant’s freedom of expression. When using this freedom of expression a number of basic principles must be observed, including everyone’s right to be presumed innocent until proven guilty and the fact that somebody who has served his sentence is once again a free man, with all the associated (basic) rights. By observing that the website encourages people to take the law into their own hands, which may have serious consequences, the Court is clearly in line with the opinion already expressed by the Dutch Data Protection Authority (DPA) in 2004 that ‘virtual pillories’ are not desirable (see http://www.cbpweb.nl/documenten/med_20040322_vp.stm).
Hyperlinks Are Processing of Personal Data
In the second proceedings an extra intermediate step still had to be taken. On stopkindersex.com there were no details about the claimant, but only hyperlinks to the American websites. The Court in preliminary relief proceedings deemed these hyperlinks to be in conflict with the PDPA too, because the defendant “thus actively provides assistance to the – unlawful – (further) distribution of personal data”. The placing of a hyperlink to personal data on a foreign website is apparently considered to be processing of these data to which the PDPA applies. This can indeed be ranged under the definition of processing of personal data in Section 1 under b of the PDPA, particularly the wording “dissemination by means of (..) any (..) form of making available”. By only making use of a hyperlink to a foreign website, the applicability of the PDPA to the website at issue will therefore not be circumvented.
Is the consequence of this judgment that hyperlinks to websites where unlawful personal data are published also constitute unlawful processing of personal data themselves? This seems, in my opinion correctly, not to be what the Court intended, in view of the above quoted choice of words that the defendant had “actively rendered her assistance” in the dissemination of personal data. This wording suggests that it was considered relevant that the defendant had been aware of the nature of the other websites and also that she had the intention to support the goal of these websites. The apparent intention to guide visitors of stopkindersex.com through to the virtual pillories and to provide the personal details of (alleged) paedophiles to a large audience is apparently also taken into consideration. From a technical legal perspective, the interpretation of the wording “actively rendered her assistance” is important. If this wording would be interpreted differently, hyperlinks of many websites would in principle constitute unlawful processing of personal data. However, even if that had been the case, in practice the consequences for the final judgment would not be substantial. After this first step, it still has to be weighed whether the unlawfulness is not removed because the freedom of expression prevails, considering all circumstances of the case. The various interests that have to be weighed are not substantially influenced by technical legal questions.
In these proceedings regarding the hyperlinks to the American websites, the Court came to the conclusion, as it did in the other case that is described in this article, that the defendant’s freedom of expression does not outweigh the claimant’s privacy and therefore cannot take away the unlawfulness. Incidentally, the claimant in the second proceedings had also claimed that his data would be removed form the American websites. The Court denied this claim, because it is not sufficiently plausible that the defendant is also responsible for the processing of personal data on these American websites.
The Future of Virtual Pillories and Hyperlinks
The line that was chosen with respect to stopkindersex.com is understandable and seems to be correct. On virtual pillories such as these people are stigmatized and there is a clear threat that people will take the law into their own hands. Furthermore, there is a large risk that innocent people who wrongfully end up on a list will at some stage suffer harm, with a long-lasting effect because data do not disappear from the Internet easily, not even after the information is removed from the original website. What happens here is of a different order than the right as formulated, inter alia, in the Telegraaf judgment (Dutch Supreme Court 27 January 1984, NJ 1984/804), of the press to publish about “the existence of accusations of criminal offenses against persons who occupy important (and/or public) positions in society (..) without it being established at the time of publication that these accusations are true and/or may be considered as being true by the press”.
Also the opinion that the hyperlink is unlawful is understandable with respect to a virtual pillory. The same outcome could also have been reached if not the PDPA, but an ‘ordinary’ unlawful act in connection with an intrusion on individual privacy would have been used as a basis. After all, in that case the starting point is that hyperlinks are not unlawful, except if the person placing the hyperlink knew or had to understand that the hyperlink leads to unlawful publications, but does not take any measures to prevent it (cf. Court of Amsterdam in preliminary relief proceedings, 20 June 2002, LJN AE4427, Indymedia/Deutsche Bahn). Whichever of the two routes is taken, subsequently it will still have to be considered whether the freedom of expression does not prevail and thus removes the unlawfulness and liability. This remains a crucial consideration which, in my opinion, could have the same result in both routes. In this respect hyperlinks should only be deemed unlawful in exceptional circumstances, such as intentional references to virtual pillories that provide serious allegations and sabotage manuals for (German) railways.
This article will also be published in the magazine ‘Privacy & Informatie’, 2009/3.
